diegogurpegui / nos2x-fox

nostr signer extension for Firefox

Home Page: https://diegogurpegui.com/nos2x-fox/


[Feature Request] For user privacy only allow access of data to user added Nostr client domains

Sakhalinfox opened this issue · comments

Currently most Nostr signer extensions like Nos2x, Nos2x-fox and Alby require permissions to "access data from all websites" which I feel is a bit excessive with regards to user privacy. Although I trust that the extension may not do anything with the data from other websites, I feel there could be a way for the user to configure a list of domains on the extension properties or options to allow access to data just for those domains.

Here is how I envision this to work:

  1. User installs the extension and the extension allows probably just access to data for a default list of Nostr client domains like astral.ninja, snort.social, etc. and clicks to 'Allow' during extension installation phase.
  2. The user inputs their private key and saves it on the extension
  3. The user is then presented with another options page on the extension to set up a list of Nostr web client domains to allow access for data for the extension to sign events as per NIP-07 or NIP-04.
  4. The extension sees only data for those list of websites/domains added.

An example of an extension that does this is Sponsorblock which allows only Youtube domains or user configured local or external domains.

I will be cross posting this on nos2x and alby extension GitHub repositories as well for a more open discussion.

I think I may have answered my own question in a way.

On Google Chrome you can do this now by going to extensions > extension details > site access > Allow this extension to read and change all your data on websites you visit > Can choose on click or on specific sites and define a list of sites or perform an 'on click' action to self-authorize reading or changing of data.

On Firefox the option is not readily available in the add-ons page. So, I still need to figure out how to do this.

> I think I may have answered my own question in a way.

Yes, that is the correct way of doing this, not on extension level. Extensions can decide not to load on certain domains, like Blockcore Notes does with a deny-list (stops from loading) and allow-list (shows green validated domain).


After some research, I found out that Firefox does not yet support a setting for extensions to restrict "Allow access to all domains data", unlike Chrome. The idea has been open for discussion for some time now, but unavailable yet.

However, I think adding probably an options page input field to add domains and then controlling the 'content_scripts' permissions for 'matches' for list of user defined domains would be a nice to have.

Good discussion! To be honest, I also was not happy with the "Access data from all websites". However I never did much research into it (thank you for doing it).

Given that there is no native way of putting that restriction in place, I don't know if it makes much sense to implement it at the extension level.
The reason I would like to restrict domains, as you mention in your first message, is in case I don't fully trust the extension. So, if the extension is the one handling that, I'm not much better. Let's say the extension has malicious code or is hacked somehow, the extension-level domain restriction won't do any good in preventing the attack.
To be honest, I'm not sure how helpful that could be.


I agree! For now I have modified the extension to allow only domains I need it to give access to under content_scripts > matches from '<all_urls>' to the Nostr client domains, until Firefox adds this functionality in the browser itself. I was able to get it signed for self use.

I'll probably write a guide for others to maybe do the same or run it unsigned with the browser setting xpinstall.signatures.required as false. I'm not a fan of that change in Firefox configuration since it could lead to potentially having other extensions being installed maliciously, but I guess maybe a separate browser profile or browser could be used for Nostr.

I'll close this for now as I think I can work out with my modified extension's manifest.json. Thanks for the inputs everyone!
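
The manifest change discussed in this thread (replacing `'<all_urls>'` under `content_scripts` > `matches` with a list of Nostr client domains) can be scripted and audited. The Node.js sketch below is an added example, not part of the thread or of the nos2x-fox code: `SAMPLE_MANIFEST` is constructed, the function names are hypothetical, and it goes one step beyond the edit described above by also dropping all-site host permissions.

```javascript
// Added example. SAMPLE_MANIFEST is constructed; it is not nos2x-fox's manifest.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'example-signer',
  permissions: ['storage', '<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content-script.js'] }],
};

// Patterns that grant access to every site.
const BROAD = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Bare hostname -> HTTPS-only match pattern for that exact host (no subdomains).
// Rejects schemes, paths, ports and wildcards so a typo cannot widen access.
function toMatchPattern(domain) {
  const host = String(domain).trim().toLowerCase();
  const ok = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
  if (!ok.test(host)) throw new Error(`not a plain hostname: ${domain}`);
  return `https://${host}/*`;
}

// List every place the manifest still grants all-site access.
function broadGrants(manifest) {
  const found = [];
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const m of cs.matches || []) {
      if (BROAD.has(m)) found.push(`content_scripts[${i}].matches: ${m}`);
    }
  });
  for (const key of ['permissions', 'host_permissions']) {
    for (const p of manifest[key] || []) {
      if (BROAD.has(p)) found.push(`${key}: ${p}`);
    }
  }
  return found;
}

// Return a copy whose content scripts load only on the allow-listed hosts.
function restrictManifest(manifest, domains) {
  const patterns = [...new Set(domains.map(toMatchPattern))];
  if (patterns.length === 0) throw new Error('allow-list is empty');
  const out = JSON.parse(JSON.stringify(manifest)); // deep copy, input untouched
  for (const cs of out.content_scripts || []) cs.matches = patterns;
  // Broad host permissions (MV2 "permissions", MV3 "host_permissions") must go too.
  for (const key of ['permissions', 'host_permissions']) {
    if (Array.isArray(out[key])) out[key] = out[key].filter((p) => !BROAD.has(p));
  }
  return out;
}
```

Running `broadGrants` on the rewritten manifest before signing or loading it confirms that no all-site pattern survived the edit.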